Identify the endpoints required for Microsoft 365 to function properly


Because Microsoft 365 is a Software as a Service (SaaS) application, it has a large number of URLs and IP addresses representing Microsoft 365 service front-end servers. These URLs and IP addresses are referred to as endpoints. They can be used by customers to identify specific network traffic that's destined for Microsoft 365.

The following table identifies the IP addresses and URLs that are required for Microsoft 365 to function correctly.

Note

The Row column identifies whether there's a specific subnet you must use if configuring the routing table for your network. The ExpressRoute for Microsoft 365 BGP Communities column identifies whether Microsoft 365 IP prefixes advertised over ExpressRoute have service-specific BGP community values.

| Row | Purpose / Destination | ExpressRoute for Microsoft 365 BGP Communities | CIDR Address | Port |
| --- | --- | --- | --- | --- |
| 1 | Required: Internet egress and DNS resolution as close to the user as possible. Ensure public resources such as certificate revocation lists are accessible. Destination: Microsoft 365 uses many different certificate providers. See the Office 365 Certificate Chains site for the complete list of known Microsoft 365 root certificates that customers may come across when accessing Microsoft 365. | No | N/A | TCP 80 and 443 |
| 2 | Required: Microsoft 365 portal. Destination: *.office365.com admin.microsoft.com | No | | TCP 443 |
| 3 | Required: Microsoft 365 portal and shared infrastructure (including Cloud App Security and Delve). Destination: *.portal.cloudappsecurity.com *.us.portal.cloudappsecurity.com *.eu.portal.cloudappsecurity.com *.eu2.portal.cloudappsecurity.com *.us2.portal.cloudappsecurity.com *.us3.portal.cloudappsecurity.com <tenant>.onmicrosoft.com account.office.net agent.office.net apc.delve.office.com aus.delve.office.com can.delve.office.com delve.office.com eur.delve.office.com gbr.delve.office.com home.office.com ind.delve.office.com jpn.delve.office.com kor.delve.office.com lam.delve.office.com nam.delve.office.com portal.office.com outlook.office365.com suite.office.net webshell.suite.office.com office.com | Yes | | TCP 443 |
| 4 | Required: Microsoft 365 Aria service (used with Skype for Business Online, Microsoft Teams, StaffHub, Outlook App, and other services). Destination: *.aria.microsoft.com browser.pipe.aria.microsoft.com mobile.pipe.aria.microsoft.com | Yes | | TCP 443 |
| 5 | Required: Microsoft 365 portal (including shared Telemetry). Destination: portal.microsoftonline.com clientlog.portal.office.com nexus.officeapps.live.com nexusrules.officeapps.live.com | No | portal and shared IP ranges - Internet-only IPs. | TCP 443 |
| 6 | Required: shared infrastructure, help, and CDNs. Destination: amp.azure.net *.o365weve.com auth.gfx.ms appsforoffice.microsoft.com assets.onestore.ms az826701.vo.msecnd.net c.microsoft.com c1.microsoft.com client.hip.live.com contentstorage.osi.office.net dgps.support.microsoft.com learn.microsoft.com groupsapi-prod.outlookgroups.ms groupsapi2-prod.outlookgroups.ms groupsapi3-prod.outlookgroups.ms groupsapi4-prod.outlookgroups.ms learn.microsoft.com msdn.microsoft.com platform.linkedin.com products.office.com prod.msocdn.com r1.res.office365.com r4.res.office365.com res.delve.office.com shellprod.msocdn.com support.content.office.net support.microsoft.com support.office.com technet.microsoft.com templates.office.com video.osi.office.net videocontent.osi.office.net videoplayercdn.osi.office.net | No | N/A | TCP 443 |
| 7 | Required: Security and Compliance Center, including audit APIs, and Advanced eDiscovery. Destination: *.manage.office.com *.protection.office.com manage.office.com protection.office.com | Yes | | TCP 443 |
| 8 | Optional: Security and Compliance Center PST Import and eDiscovery Export. Destination: *.blob.core.windows.net | No | N/A | TCP 443 |
| 9 | Optional: third-party Office integration (including CDNs). Destination: *.helpshift.com *.localytics.com analytics.localytics.com api.localytics.com connect.facebook.net firstpartyapps.oaspapps.com outlook.uservoice.com prod.firstpartyapps.oaspapps.com.akadns.net rink.hockeyapp.net sdk.hockeyapp.net telemetryservice.firstpartyapps.oaspapps.com web.localytics.com webanalytics.localytics.com wus-firstpartyapps.oaspapps.com | No | N/A | TCP 443 |
| 10 | Optional: some Microsoft 365 features require endpoints within these domains (including CDNs). Note: Many specific FQDNs within these wildcards have been published recently as Microsoft works to either remove or better explain its guidance relating to these wildcards. Destination: *.microsoft.com *.msocdn.com *.office.com *.office.net *.onmicrosoft.com | No | N/A | TCP 80 and 443 |
| 11 | Optional: Microsoft Azure RemoteApp. Destination: liverdcxstorage.blob.core.windowsazure.com telemetry.remoteapp.windowsazure.com vortex.data.microsoft.com | No | N/A | TCP 443 |
| 12 | Optional: Destination: *.blob.core.windows.net *.hockeyapp.net *.sharepointonline.com *.staffhub.office.com api.office.com enterpriseregistration.windows.net dc.applicationinsights.microsoft.com dc.services.visualstudio.com forms.microsoft.com forms.office.com graph.windows.net manage.office.com mem.gfx.ms office365servicehealthcommunications.cloudapp.net securescore.office.com signup.microsoft.com staffhub.ms staffhubweb.azureedge.net staffhub.office.com staffhub.uservoice.com weu-000.forms.osi.office.net wus-000.forms.osi.office.net neu-000.forms.osi.office.net eus2-000.forms.osi.office.net ea-000.forms.osi.office.net watson.telemetry.microsoft.com wu.client.hip.live.com | No | N/A | TCP 443 |
| 13 | Optional: Import Service for PST and file ingestion. Destination: refer to the import service for more requirements. | | | |
| 14 | Optional: Remote Connectivity Analyzer - Initiate connectivity tests. Destination: testconnectivity.microsoft.com | No | 13.67.59.89/32 40.69.150.142/32 40.85.91.8/32 104.211.54.99/32 104.211.54.134/32 | TCP 80 and 443 |
| 15 | Optional: Remote Connectivity Analyzer - Execution of the tests selected by the customer. Source of network requests: testconnectivity.microsoft.com Destination: on-premises systems for email and collaboration. | No | customer IP ranges | 80, 443, 25, POP3 on 110, 995, or Custom, IMAP4 on 143, 993, or Custom |
| 16 | Optional: Microsoft Support and Recover Assistant for Office 365 - validate single sign-on user credentials. Source: o365diagnosticsbasic-eus.cloudapp.net (104.211.54.99), o365diagnosticworker-eus.cloudapp.net (104.211.54.134). Destination: on-premises STS | No | customer IP ranges | customer configurable. Typically TCP 443 |
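
The table can be used to classify egress traffic seen in proxy or firewall logs. The following is an added example, not Microsoft's code: it loads a subset of the table (rows 2, 4, 7, 10 and the row 14 CIDR addresses) and matches a hostname and port against it. The function names are hypothetical, and the wildcard semantics (`*.` covers subdomains only, on a label boundary) are an assumption based on rows that list both a wildcard and the bare domain.

```python
import ipaddress

# Subset of the table above: (row, status, destinations, TCP ports).
# Narrow rows come first so the broad row 10 wildcards only catch what is left.
ENDPOINTS = [
    (2, "Required", ("*.office365.com", "admin.microsoft.com"), {443}),
    (4, "Required", ("*.aria.microsoft.com",), {443}),
    (7, "Required", ("*.manage.office.com", "*.protection.office.com",
                     "manage.office.com", "protection.office.com"), {443}),
    (10, "Optional", ("*.microsoft.com", "*.msocdn.com", "*.office.com",
                      "*.office.net", "*.onmicrosoft.com"), {80, 443}),
]

# Row 14 (Remote Connectivity Analyzer) CIDR addresses from the table.
ROW14_CIDRS = [ipaddress.ip_network(c) for c in (
    "13.67.59.89/32", "40.69.150.142/32", "40.85.91.8/32",
    "104.211.54.99/32", "104.211.54.134/32")]


def host_matches(pattern, host):
    """Match on DNS label boundaries. Assumption: '*.' covers one or more
    labels to the left and never the bare domain, which is why row 7 lists
    manage.office.com next to *.manage.office.com."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # pattern[1:] keeps the leading dot, so "notoffice365.com" cannot match.
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern


def classify(host, port):
    """Return (row, status) of the first table row covering host:port, else None."""
    for row, status, patterns, ports in ENDPOINTS:
        if port in ports and any(host_matches(p, host) for p in patterns):
            return row, status
    return None


def in_row14(ip):
    """True when ip falls inside one of the row 14 CIDR addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROW14_CIDRS)
```

A `None` result means the destination is not covered by the rows loaded here; a lookalike such as `notoffice365.com` or `office.com.example.net` falls in that group because matching is anchored on the dot before the listed domain.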

Additional reading. For more information, see the following article on optional URLs and IP address ranges.